Be Careful Out There

As I continue to clear out the news chum, here are some articles related to security, trust, safety, and cyber. In short: be worried, be suspicious, and everything is not as it seems:

Can You Believe Your Eyes? We’ve all been taught that “seeing is believing”. But is it? We live in an era of forgeries: email can be faked (and has been), and videos can be doctored. I’m sure you’ve all heard about “deepfakes”, where AI is used to put a different face on a body in a porn video, creating celebrity porn without the real celebrity. The LA Times has an interesting article on the rise of fake videos and their implications. Just think about this: What damage could a faked video do when it spreads on the internet? How could a fake be used for propaganda purposes? We’ve been given the blessing of technology, but its misuse could be the downfall of society (as the 2016 election has shown, with the Russian manipulation of the US electorate through technology).

Financial Scams. The last few years have seen the growth of person-to-person online financial exchanges like Venmo and Zelle. But the scams are growing as well. The services were intended for transfers between people who know and trust each other. There are no safeguards against scammers and fraud, unlike services like PayPal. This is starting to bite people in the butt. Remember: Only Venmo/Zelle funds to someone you know and trust in real life. Once the funds are gone, they are gone.

The Green Padlock. Starting in July, the Chrome browser will mark all sites using the original web protocol, HTTP, as insecure. This is because the protocol does not provide end-to-end security. I initially believed that was overkill: there are many static sites with no forms that only serve as information providers. Why do they need encrypted transport? But a discussion of the issue highlighted the reason behind Google’s actions. Even for such sites, moving to HTTPS provides assurance that the data coming from the site is what is being received by the consumer of information. In other words, it prevents man-in-the-middle attacks that insert false data, advertising, or malware. I’ve taken the steps to secure my site for the highway pages, and will be doing it for subsidiary pages in the coming months.

Paying for Security. One of the biggest problems that security has is that it is often invisible. If the mechanisms work, nothing bad happens, and you don’t know it is there. It is like high-quality building codes that you don’t discover saved your house until everyone else’s house burned down. As such, consumers haven’t wanted to pay for security; they want new features and whells and bistles. Software and hardware vendors couldn’t justify costly new releases that just added security. Luckily, that’s all changing — a new survey shows that consumers now prefer security over convenience. Will things stay that way? Will the convenience of a simple facial recognition overtake the security of two-factor authentication? Stay tuned.

Fixing Vulnerabilities. Vulnerabilities are on the rise, and keeping up can be hard. Here’s an interesting article that highlights the fact that not all vulnerabilities end up in the CVE/NVD database, and thus relying on that database as your sole source of vulnerability information is a bad idea. For those of us who assess for obvious vulnerabilities, this is an important observation. It is also vitally important to understand that a vulnerability is not the same as a risk. Spectre and Mindfuck (no) Meltdown are good examples. They are vulnerabilities, and their patches are causing incredible slowdowns, but how easy are they to exploit, and what can they leak? A determined adversary will find a way to exploit anything, but the casual “script kiddie” hacker may not find much utility. The same, by the way, is true of gun laws. Gun control will affect law-abiding folk, but the determined adversary will find a way. That’s why it is important not only to address the symptom of the problem — the gun control, the identified vulnerability — but to address the source of the problem. We need to engineer-in safety and security in all of our systems — human and technical — from day 0 to identify and prevent problems BEFORE they happen.

Securing the Internet of Things. One increasing risk is the Internet of Things. More and more, everything is being connected to the Internet. Often, what is connected are low-criticality devices (solar panels, refrigerators, light bulbs, dishwashers) with poor security protocols. Miscreants can then use those devices as stepping stones to get a trusted position in a network to jump to a more critical site, or to host a botnet or cryptocurrency mining operation. Luckily, NIST is working on standards for IoT security — and those standards are out for draft and comment.